Auth/Authorization

I use keycloak to generate JWT token:

and have provided keycloak url for public key decode:

  • TEMPORAL_JWT_KEY_SOURCE1=http://keycloak:8080/auth/realms/temporal/protocol/openid-connect/certs
  • TEMPORAL_AUTH_AUTHORIZER=default
  • TEMPORAL_AUTH_CLAIM_MAPPER=default

This entry is able to authorise only the requests going to the "temporal-system" namespace; all other requests to other namespaces are giving an "unauthorised" error.

My decoded JWT token looks like this; please review the access part and check the roles part:

{
  "exp": 1655726597,
  "iat": 1655726297,
  "jti": "9f13aaf9-6d37-49f8-bd63-73e98b768af9",
  "iss": "http://localhost:8080/auth/realms/temporal",
  "aud": "account",
  "sub": "3431a865-987f-45f8-b62f-b68e0f246462",
  "typ": "Bearer",
  "azp": "pradnyaclient",
  "session_state": "af5eb2aa-b9dd-4a8b-a203-d931a02b3f33",
  "acr": "1",
  "realm_access": {
    "roles": [
      "default",
      "read",
      "offline_access",
      "admin",
      "uma_authorization",
      "default-roles-temporal",
      "write"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid profile email",
  "sid": "af5eb2aa-b9dd-4a8b-a203-d931a02b3f33",
  "email_verified": false,
  "name": "xyz abc",
  "preferred_username": "xyz",
  "given_name": "xyz",
  "family_name": "abc",
  "email": "xyz@gmail.com"
}

Docs have a section on JWT format, see here.
Hope this helps.

To my access token I added the claim:

"permissions": "system:admin",

The complete decoded JWT token payload looks like:

{
  "exp": 1655803219,
  "iat": 1655802919,
  "jti": "5ceead70-17ec-417f-ba9b-841194222654",
  "iss": "http://localhost:8080/auth/realms/temporal",
  "aud": [
    "default",
    "account"
  ],
  "sub": "3431a865-987f-45f8-b62f-b68e0f246462",
  "typ": "Bearer",
  "azp": "pradnyaclient",
  "session_state": "cf53042e-a639-4af1-a767-8f7da5a05ddb",
  "acr": "1",
  "realm_access": {
    "roles": [
      "default",
      "system:admin",
      "offline_access",
      "uma_authorization",
      "default-roles-temporal"
    ]
  },
  "resource_access": {
    "default": {
      "roles": [
        "read",
        "admin",
        "write"
      ]
    },
    "pradnyaclient": {
      "roles": [
        "system:admin"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid profile email",
  "sid": "cf53042e-a639-4af1-a767-8f7da5a05ddb",
  "abc": "abc:are",
  "email_verified": false,
  "permissions": "system:admin",
  "name": "pradnya bhalekar",
  "preferred_username": "pradnyab",
  "given_name": "pradnya",
  "family_name": "bhalekar",
  "email": "pradnyapbhalekar@gmail.com"
}

Still I am getting the error (for namespace "default"):

14:49:56.208 [Workflow Poller taskQueue="WAS_TASK_QUEUE_scenarioexpansion", namespace="default": 2] WARN io.temporal.internal.worker.Poller - Failure in poller thread Workflow Poller taskQueue="WAS_TASK_QUEUE_scenarioexpansion", namespace="default": 2
io.grpc.StatusRuntimeException: PERMISSION_DENIED: Request unauthorized.
at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:271)

What is wrong with the JWT token now?
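Since the thread ends with the claim still being rejected, here is an added example (my own code, not Temporal's and not the poster's) that mirrors the rule Temporal's default claim mapper applies to the permissions claim: it has to be a JSON array of "<namespace>:<role>" strings, with "system" as the namespace for cluster-wide roles. Run over the two constructed payloads it shows that a string-valued claim yields no roles at all, while the array form yields roles the authorizer can check; the mapper logic is re-implemented from the documented behaviour rather than imported from Temporal.

```python
"""Added illustration of how Temporal's default JWT claim mapper reads the permissions claim.
Not Temporal's code: it re-implements the documented rule that the claim (default name
"permissions") is a JSON array of "<namespace>:<role>" strings, with "system" as the namespace
for cluster-wide roles and the role one of read, write, worker or admin. Payloads are constructed
from the tokens quoted in the thread."""
from typing import Any

KNOWN_ROLES = {"read", "write", "worker", "admin"}

# Constructed: the claim as it appears in the second token of the thread (a plain string).
STRING_CLAIM_PAYLOAD = {"sub": "3431a865-987f-45f8-b62f-b68e0f246462",
                        "permissions": "system:admin"}
# Constructed: the same intent expressed as the array form the default mapper reads.
ARRAY_CLAIM_PAYLOAD = {"sub": "3431a865-987f-45f8-b62f-b68e0f246462",
                       "permissions": ["system:admin", "default:write", "default:read"]}


def map_permissions(payload: dict[str, Any], claim_name: str = "permissions") -> dict[str, set[str]]:
    """Return {namespace: {roles}} the way the default mapper derives them.

    A claim that is not a JSON array is skipped as a whole, so the caller ends up with no
    roles at all and the default authorizer answers PERMISSION_DENIED for every namespace."""
    entries = payload.get(claim_name)
    if not isinstance(entries, list):
        return {}
    roles: dict[str, set[str]] = {}
    for entry in entries:
        parts = entry.split(":") if isinstance(entry, str) else []
        if len(parts) != 2 or parts[1] not in KNOWN_ROLES:
            continue  # not "<namespace>:<role>", or a role the mapper does not know
        roles.setdefault(parts[0], set()).add(parts[1])
    return roles


def lint_permissions_claim(payload: dict[str, Any], claim_name: str = "permissions") -> list[str]:
    """List the reasons a payload would yield no usable roles; an empty list means it is well formed."""
    entries = payload.get(claim_name)
    if entries is None:
        return [f'claim "{claim_name}" is missing']
    if not isinstance(entries, list):
        return [f'claim "{claim_name}" must be a JSON array, got {type(entries).__name__}']
    findings = []
    for entry in entries:
        parts = entry.split(":") if isinstance(entry, str) else []
        if len(parts) != 2:
            findings.append(f"entry {entry!r} is not of the form <namespace>:<role>")
        elif parts[1] not in KNOWN_ROLES:
            findings.append(f"entry {entry!r} uses unknown role {parts[1]!r}")
    return findings
```

Calling `lint_permissions_claim(STRING_CLAIM_PAYLOAD)` reports that the claim is a `str` rather than an array, which is the shape check worth running on any token before debugging the authorizer itself.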